ansible-tower-hashicorp-vault

A quick demo of Ansible Tower integration with Hashicorp Vault. Based on the tutorial on the Ansible Blog.

Requirements

  1. Vagrant 2.1.1

  2. vagrant plugin install vagrant-hostmanager

  3. Download Vault 0.10.1 from the download page to the git project directory

The Ansible Tower Vagrant Box 3.2.5 with Ansible 2.5.2 was used to create this demo.

Install and Start Hashicorp Vault

Note
Follow instructions from the Vault Getting Started Guide if necessary.
  1. vagrant up

  2. vagrant ssh tower

  3. /vagrant/install-vault.sh

  4. vault -autocomplete-install

  5. vault server -dev

  6. Save the Unseal Key and Root Token

  7. Leave the server running and open a new terminal

Set up the Ansible + Hashicorp Vault Integration

  1. Install pip

    sudo yum install python-pip
  2. Install required python libraries for Hashicorp Vault integration

    sudo pip install hvac jmespath
  3. Restart Tower

Populate Hashicorp Vault

Note
Make sure the vault binary is on your PATH
  1. Export the VAULT_ADDR variable that was printed when you started vault in dev mode:

    export VAULT_ADDR='http://127.0.0.1:8200'
  2. Add data to vault, using the inventory host name as the key:

    vault kv put secret/host-1 first_line=vault_sensitive_1 second_line=vault_sensitive_2
    vault kv put secret/host-2 first_line=VAULT_some_sensitive_1 second_line=VAULT_some_other_sensitive_2

Run the playbook with plain Ansible

  1. Clone the repo: git clone https://github.com/bparry02/ansible-tower-hashicorp-vault.git

  2. Run the playbook:

    echo -e "host-1\nhost-2" > inventory
    ansible-playbook apache.yml -i inventory -b
    ansible-playbook debug.yml -i inventory -e vault_token=[TOKEN]
    ansible-playbook index_html_create.yml -i inventory -e vault_token=[TOKEN] -b
  3. Verify with curl:

    $ curl http://host-2
    <body>
    <h1>Apache is running fine</h1>
    <h1>This is field "First Line": VAULT_some_sensitive_1</h1>
    <h1>This is field "Second Line": VAULT_some_other_sensitive_2</h1>
    </body>

Create custom credential type in Ansible Tower for Hashicorp Vault

  1. Settings > Credential Types > Add

    Input Configuration
    fields:
      - type: string
        id: vault_server_url
        label: URL to Vault Server
      - type: string
        id: vault_token
        label: Vault Token
        secret: true
    required:
      - vault_server_url
      - vault_token
    Injector Configuration
    env:
      VAULT_ADDR: '{{ vault_server_url }}'
      VAULT_TOKEN: '{{ vault_token }}'
  2. Save

  3. Settings > Credentials > Add

    1. Name: Local Hashicorp Vault

    2. Credential Type: Hashicorp Vault

    3. URL: http://127.0.0.1:8200

    4. Token: [TOKEN]

  4. Save
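The following Python is an added example, not code from this repo or from Tower: it models how Tower turns the credential type above into job environment variables. The input and injector definitions are the README's YAML written as dicts; the `{{ field }}` substitution and the masking rule are a simplified stand-in for Tower's own rendering and are assumptions, as is the placeholder token.

```python
import re

# Same credential type as the README's YAML, as Python dicts so the example
# runs with the standard library only (example code, not Tower's own).
INPUTS = {
    "fields": [
        {"type": "string", "id": "vault_server_url", "label": "URL to Vault Server"},
        {"type": "string", "id": "vault_token", "label": "Vault Token", "secret": True},
    ],
    "required": ["vault_server_url", "vault_token"],
}
INJECTORS = {"env": {"VAULT_ADDR": "{{ vault_server_url }}",
                     "VAULT_TOKEN": "{{ vault_token }}"}}

# Simplified stand-in for the Jinja rendering Tower applies to injector values.
_FIELD_REF = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_env(inputs, injectors, values):
    """Build the job environment this credential would inject from user-entered values."""
    missing = [f for f in inputs["required"] if not values.get(f)]
    if missing:
        raise ValueError("missing required credential fields: " + ", ".join(missing))
    known = {f["id"] for f in inputs["fields"]}

    def lookup(match):
        field = match.group(1)
        if field not in known:
            raise KeyError("injector references undefined field %r" % field)
        return values.get(field, "")

    return {name: _FIELD_REF.sub(lookup, tmpl) for name, tmpl in injectors["env"].items()}


def secret_env_names(inputs, injectors):
    """Env vars fed by a field marked secret: true; these must never reach a job log."""
    secret_fields = {f["id"] for f in inputs["fields"] if f.get("secret")}
    return sorted(name for name, tmpl in injectors["env"].items()
                  if secret_fields & set(_FIELD_REF.findall(tmpl)))


def redacted(env, secret_names):
    """Copy of env that is safe to print: secret-backed variables are masked."""
    return {k: ("********" if k in secret_names else v) for k, v in env.items()}


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real Vault token.
    sample = {"vault_server_url": "http://127.0.0.1:8200", "vault_token": "EXAMPLE-TOKEN"}
    env = render_env(INPUTS, INJECTORS, sample)
    print(redacted(env, secret_env_names(INPUTS, INJECTORS)))
```

Because the token reaches the playbook as the VAULT_TOKEN environment variable, the Tower job needs no `-e vault_token=[TOKEN]` on the command line, unlike the plain-Ansible run above where the token is visible in the process list and shell history.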

Add an Inventory for the vagrant target hosts

  1. Inventories > Add

    • Name: vagrant

    • Hosts > Add Host

      • Host-Name: host-1

      • Save

    • Hosts > Add Host

      • Host-Name: host-2

      • Save

  2. Save

Add sample project

  1. Projects > Add

  2. Save

Create a job that tests Hashicorp Vault configuration

  1. Templates > Add > Job Template

    • Name: debug vault

    • Job Type: Run

    • Inventory: vagrant

    • Project: tower-hashicorp-vault

    • Playbook: debug-tower.yml

    • Credential: Machine, Local Hashicorp Vault

  2. Run the Template

    PLAY [Check Hashicorp Vault values] ********************************************
    TASK [Gathering Facts] *********************************************************
    ok: [host-1]
    ok: [host-2]
    TASK [check host values for first_line] ****************************************
    ok: [host-2] => {
        "msg": "First line is: VAULT_some_sensitive_1"
    }
    ok: [host-1] => {
        "msg": "First line is: vault_sensitive_1"
    }
    TASK [check host values for second_line] ***************************************
    ok: [host-2] => {
        "msg": "Second line is: VAULT_some_other_sensitive_2"
    }
    ok: [host-1] => {
        "msg": "Second line is: vault_sensitive_2"
    }
    PLAY RECAP *********************************************************************
    host-1                     : ok=3    changed=0    unreachable=0    failed=0
    host-2                     : ok=3    changed=0    unreachable=0    failed=0
